<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content=
    "application/xhtml+xml; charset=iso-8859-1" />
    <title>
      make-ca-1.5
    </title>
    <link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
    <meta name="generator" content="DocBook XSL Stylesheets V1.79.1" />
    <link rel="stylesheet" href="../stylesheets/lfs-print.css" type=
    "text/css" media="print" />
  </head>
  <body class="blfs" id="blfs-9.1">
    <div class="navheader">
      <h4>
        Beyond Linux<sup>�</sup> From Scratch <span class="phrase">(System
        V</span> Edition) - Version 9.1
      </h4>
      <h3>
        Chapter&nbsp;4.&nbsp;Security
      </h3>
      <ul>
        <li class="prev">
          <a accesskey="p" href="vulnerabilities.html" title=
          "Vulnerabilities">Prev</a>
          <p>
            Vulnerabilities
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="cracklib.html" title=
          "CrackLib-2.9.7">Next</a>
          <p>
            CrackLib-2.9.7
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
    <div class="sect1" lang="en" xml:lang="en">
      <h1 class="sect1">
        <a id="make-ca" name="make-ca"></a>make-ca-1.5
      </h1>
      <div class="package" lang="en" xml:lang="en">
        <h2 class="sect2">
          Introduction to make-ca
        </h2>
        <p>
          Public Key Infrastructure (PKI) is a method to validate the
          authenticity of an otherwise unknown entity across untrusted
          networks. PKI works by establishing a chain of trust, rather than
          trusting each individual host or entity explicitly. In order for a
          certificate presented by a remote entity to be trusted, that
          certificate must present a complete chain of certificates that can
          be validated using the root certificate of a Certificate Authority
          (CA) that is trusted by the local machine.
        </p>
        <p>
          Establishing trust with a CA involves validating things like
          company address, ownership, contact information, etc., and ensuring
          that the CA has followed best practices, such as undergoing
          periodic security audits by independent investigators and
          maintaining an always available certificate revocation list. This
          is well outside the scope of BLFS (as it is for most Linux
          distributions). The certificate store provided here is taken from
          the Mozilla Foundation, who have established very strict inclusion
          policies described <a class="ulink" href=
          "https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">
          here</a>.
        </p>
        <p>
          This package is known to build and work properly using an LFS-9.1
          platform.
        </p>
        <h3>
          Package Information
        </h3>
        <div class="itemizedlist">
          <ul class="compact">
            <li class="listitem">
              <p>
                Download (HTTP): <a class="ulink" href=
                "https://github.com/djlucas/make-ca/releases/download/v1.5/make-ca-1.5.tar.xz">
                https://github.com/djlucas/make-ca/releases/download/v1.5/make-ca-1.5.tar.xz</a>
              </p>
            </li>
            <li class="listitem">
              <p>
                Download size: 32 KB
              </p>
            </li>
            <li class="listitem">
              <p>
                Download MD5 Sum: 0d50d9e0c9ebd6059fe4116353f2d5be
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated disk space required: 6.6 MB (with all runtime deps)
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated build time: 0.1 SBU (with all runtime deps)
              </p>
            </li>
          </ul>
        </div>
        <h3>
          make-ca Dependencies
        </h3>
        <h4>
          Required
        </h4>
        <p class="required">
          <a class="xref" href="p11-kit.html" title=
          "p11-kit-0.23.20">p11-kit-0.23.20</a> (required at runtime to
          generate certificate stores from trust anchors)
        </p>
        <h4>
          Optional (runtime)
        </h4>
        <p class="optional">
          <a class="xref" href="../general/java.html" title=
          "Java-12.0.2">Java-12.0.2</a> or <a class="xref" href=
          "../general/openjdk.html" title="OpenJDK-12.0.2">OpenJDK-12.0.2</a>
          (to generate a java PKCS#12 store), and <a class="xref" href=
          "nss.html" title="NSS-3.50">NSS-3.50</a> (to generate a shared
          NSSDB)
        </p>
        <p class="usernotes">
          User Notes: <a class="ulink" href=
          "http://wiki.linuxfromscratch.org/blfs/wiki/make-ca">http://wiki.linuxfromscratch.org/blfs/wiki/make-ca</a>
        </p>
      </div>
      <div class="installation" lang="en" xml:lang="en">
        <h2 class="sect2">
          Installation of make-ca
        </h2>
        <p>
          The <span class="application">make-ca</span> script will download
          and process the certificates included in the <code class=
          "filename">certdata.txt</code> file for use as trust anchors for
          the <a class="xref" href="p11-kit.html" title=
          "p11-kit-0.23.20">p11-kit-0.23.20</a> trust module. Additionally,
          it will generate system certificate stores used by BLFS
          applications (if the recommended and optional applications are
          present on the system). Any local certificates stored in
          <code class="filename">/etc/ssl/local</code> will be imported to
          both the trust anchors and the generated certificate stores
          (overriding Mozilla's trust). Additionally, any modified trust
          values will be copied from the trust anchors to <code class=
          "filename">/etc/ssl/local</code> prior to any updates, preserving
          custom trust values that differ from Mozilla when using the
          <span class="command"><strong>trust</strong></span> utility from
          <span class="application">p11-kit</span> to operate on the trust
          store.
        </p>
        <p>
          To install the various certificate stores, first install the
          <span class="application">make-ca</span> script into the correct
          location. As the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">make install &amp;&amp;
install -vdm755 /etc/ssl/local</kbd>
</pre>
        <p>
          As the <code class="systemitem">root</code> user, after installing
          <a class="xref" href="p11-kit.html" title=
          "p11-kit-0.23.20">p11-kit-0.23.20</a>, download the certificate
          source and prepare for system use with the following command:
        </p>
        <div class="admon note">
          <img alt="[Note]" src="../images/note.png" />
          <h3>
            Note
          </h3>
          <p>
            If running the script a second time with the same version of
            <code class="filename">certdata.txt</code>, for instance, to add
            additional stores as the requisite software is installed, add the
            <em class="parameter"><code>-r</code></em> switch to the command
            line. If packaging, run <span class="command"><strong>make-ca
            --help</strong></span> to see all available command line options.
          </p>
        </div>
        <pre class="root">
<kbd class="command">/usr/sbin/make-ca -g</kbd>
</pre>
        <p>
          You should periodically update the store with the above command,
          either manually, or via a <span class="phrase">cron job.</span>
          <span class="phrase">If you've installed <a class="xref" href=
          "../general/fcron.html" title="Fcron-3.2.1">Fcron-3.2.1</a> and
          completed the section on periodic jobs, execute</span> the
          following commands, as the <code class="systemitem">root</code>
          user, to <span class="phrase">create a weekly cron job:</span>
        </p>
        <pre class="root">
<kbd class="command">install -vdm755 /etc/cron.weekly              &amp;&amp;
cat &gt; /etc/cron.weekly/update-pki.sh &lt;&lt; "EOF" &amp;&amp;
<code class="literal">#!/bin/bash
/usr/sbin/make-ca -g</code>
EOF
chmod 754 /etc/cron.weekly/update-pki.sh</kbd>
</pre>
      </div>
      <div class="configuration" lang="en" xml:lang="en">
        <h2 class="sect2">
          <a id="make-ca-config" name="make-ca-config"></a>Configuring
          make-ca
        </h2>
        <p>
          For most users, no additional configuration is necessary, however,
          the default <code class="filename">certdata.txt</code> file
          provided by make-ca is obtained from the mozilla-release branch,
          and is modified to provide a Mercurial revision. This will be the
          correct version for most systems. There are several other variants
          of the file available for use that might be preferred for one
          reason or another, including the files shipped with Mozilla
          products in this book. RedHat and OpenSUSE, for instance, use the
          version included in <a class="xref" href="nss.html" title=
          "NSS-3.50">NSS-3.50</a>. Additional upstream downloads are
          available at the links included in <code class=
          "filename">/etc/make-ca.conf.dist</code>. Simply copy the file to
          <code class="filename">/etc/make-ca.conf</code> and edit as
          appropriate.
        </p>
        <h3>
          About Trust Arguments
        </h3>
        <p>
          There are three trust types that are recognized by the <span class=
          "application">make-ca</span> script, SSL/TLS, S/Mime, and code
          signing. For <span class="application">OpenSSL</span>, these are
          <em class="parameter"><code>serverAuth</code></em>, <em class=
          "parameter"><code>emailProtection</code></em>, and <em class=
          "parameter"><code>codeSigning</code></em> respectively. If one of
          the three trust arguments is omitted, the certificate is neither
          trusted, nor rejected for that role. Clients that use <span class=
          "application">OpenSSL</span> or <span class=
          "application">NSS</span> encountering this certificate will present
          a warning to the user. Clients using <span class=
          "application">GnuTLS</span> without <span class=
          "application">p11-kit</span> support are not aware of trusted
          certificates. To include this CA into the <code class=
          "filename">ca-bundle.crt</code>, <code class=
          "filename">email-ca-bundle.crt</code>, or <code class=
          "filename">objsign-ca-bundle.crt</code> files (the <span class=
          "application">GnuTLS</span> legacy bundles), it must have the
          appropriate trust arguments.
        </p>
        <h3>
          Adding Additional CA Certificates
        </h3>
        <p>
          The <code class="filename">/etc/ssl/local</code> directory is
          available to add additional CA certificates to the system. For
          instance, you might need to add an organization or government CA
          certificate. Files in this directory must be in the <span class=
          "application">OpenSSL</span> trusted certificate format. To create
          an <span class="application">OpenSSL</span> trusted certificate
          from a regular PEM encoded file, you need to add trust arguments to
          the <span class="command"><strong>openssl</strong></span> command,
          and create a new certificate. For example, using the <a class=
          "ulink" href="http://www.cacert.org/">CAcert</a> roots, if you want
          to trust both for all three roles, the following commands will
          create appropriate OpenSSL trusted certificates (run as the
          <code class="systemitem">root</code> user after <a class="xref"
          href="../basicnet/wget.html" title="Wget-1.20.3">Wget-1.20.3</a> is
          installed):
        </p>
        <pre class="userinput">
<kbd class="command">wget http://www.cacert.org/certs/root.crt &amp;&amp;
wget http://www.cacert.org/certs/class3.crt &amp;&amp;
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        &gt; /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        &gt; /etc/ssl/local/CAcert_Class_3_root.pem &amp;&amp;
/usr/sbin/make-ca -r -f</kbd>
</pre>
        <h3>
          Overriding Mozilla Trust
        </h3>
        <p>
          Occasionally, there may be instances where you don't agree with
          Mozilla's inclusion of a particular certificate authority. If you'd
          like to override the default trust of a particular CA, simply
          create a copy of the existing certificate in <code class=
          "filename">/etc/ssl/local</code> with different trust arguments.
          For example, if you'd like to distrust the "Makebelieve_CA_Root"
          file, run the following commands:
        </p>
        <pre class="userinput">
<kbd class=
"command">openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
             -text \
             -fingerprint \
             -setalias "Disabled Makebelieve CA Root" \
             -addreject serverAuth \
             -addreject emailProtection \
             -addreject codeSigning \
       &gt; /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &amp;&amp;
/usr/sbin/make-ca -r -f</kbd>
</pre>
      </div>
      <div class="content" lang="en" xml:lang="en">
        <h2 class="sect2">
          Contents
        </h2>
        <div class="segmentedlist">
          <div class="seglistitem">
            <div class="seg">
              <strong class="segtitle">Installed Programs:</strong>
              <span class="segbody">make-ca</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Directories:</strong>
              <span class="segbody">/etc/ssl/{certs,local} and
              /etc/pki/{nssdb,anchors,tls/{certs,java}}</span>
            </div>
          </div>
        </div>
        <div class="variablelist">
          <h3>
            Short Descriptions
          </h3>
          <table border="0" class="variablelist">
            <colgroup>
              <col align="left" valign="top" />
              <col />
            </colgroup>
            <tbody>
              <tr>
                <td>
                  <p>
                    <a id="make-ca-bin" name="make-ca-bin"></a><span class=
                    "term"><span class=
                    "command"><strong>make-ca</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a shell script that adapts a current version of
                    <code class="filename">certdata.txt</code>, and prepares
                    it for use as the system trust store.
                  </p>
                </td>
              </tr>
            </tbody>
          </table>
        </div>
      </div>
      <p class="updated">
        Last updated on 2020-02-15 08:54:30 -0800
      </p>
    </div>
    <div class="navfooter">
      <ul>
        <li class="prev">
          <a accesskey="p" href="vulnerabilities.html" title=
          "Vulnerabilities">Prev</a>
          <p>
            Vulnerabilities
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="cracklib.html" title=
          "CrackLib-2.9.7">Next</a>
          <p>
            CrackLib-2.9.7
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
  </body>
</html>
